HTTP cross-site scripting attempt detected (HTTP_GETargscript)

About this signature or vulnerability

IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Desktops, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Network Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network IPS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor:

This event triggers when a Cross Site Scripting attack is detected within the query string portion of an HTTP request, as opposed to the URL data of the request.

This signature detects an HTTP GET request that contains a cross-site scripting attack in the argument data of the request. Because of the unusual nature of this exploit, this signature cannot report the true intruder. During this exploit, the victim communicates with an HTTP server that the intruder has chosen. However, this HTTP server is simply a "means to an end" and plays no role in the actual attack. The damage is done when the Web browser executes script while processing the data returned by the web server. The real intruder may be indicated by other events reported coincidently with this one. This event is superseded by the 'Cross_Site_Scripting' event.


False positives

IBM Security Host Protection for Servers (Unix), IBM Security Host Protection for Desktops, Virtual Server Protection for Vmware, Proventia Server IPS for Linux technology, IBM Security Network Protection, Proventia Network MFS, Proventia-G 1.1 and earlier, Proventia Network IDS, Proventia Network IPS, IBM Security Host Protection for Servers (Windows), RealSecure Server Sensor:

When this event triggers, it does not necessarily mean that a cross-site scripting attack has occurred. Many web applications use self-injection algorithms, which this event and other XSS events will readily detect.

A false positive may exist when an esoteric XSS vector is not actually being exploited and when certain JavaScript functions are detected.

The triggering of the event does not necessarily indicate malicious intent.
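
The distinction described above (argument data versus the URL path) and the false-positive case of a benign JavaScript function name, shown as an added example. It is not IBM's signature logic: the function name getarg_script_hits, the patterns and the sample request lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Assumed, illustrative patterns; the product's actual signature logic is not on this page.
PATTERNS = {
    "script-tag": re.compile(r"<\s*script\b", re.I),
    "js-uri": re.compile(r"\bjavascript\s*:", re.I),
    "event-handler": re.compile(r"\bon(?:error|load|click|mouseover)\s*=", re.I),
    # Bare function names also match benign text (the false-positive case).
    "js-function": re.compile(r"\b(?:alert|eval)\s*\(", re.I),
}


def getarg_script_hits(request_line):
    """Return sorted (parameter, pattern-label) pairs found in GET argument data."""
    parts = request_line.split()
    if len(parts) < 2 or parts[0].upper() != "GET":
        return []
    query = urlsplit(parts[1]).query  # argument data only; the path is ignored
    hits = set()
    # parse_qsl percent-decodes each value once.
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)  # second decode pass for double-encoded values
        for label, pattern in PATTERNS.items():
            if pattern.search(decoded):
                hits.add((name, label))
    return sorted(hits)


# Constructed sample request lines, not captured traffic.
SAMPLES = [
    "GET /search?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1",  # script in an argument
    "GET /item?id=%253Cscript%253E HTTP/1.1",                      # double-encoded argument
    "GET /%3Cscript%3Ex%3C%2Fscript%3E/index.html HTTP/1.1",       # script in path, not arguments
    "GET /docs/search?q=how+to+use+alert()+in+javascript HTTP/1.1",  # benign documentation search
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(getarg_script_hits(line) or "no hit", "|", line)
```

The last sample is flagged even though it is an ordinary documentation search, which is why a hit on a function-name pattern alone needs corroboration from other events before it is treated as an attack.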

False negatives

IBM Security Host Protection for Servers (Unix): An effort has been made to cover well-known vectors of Cross Site Scripting attacks, but due to the nature of Web application development, it is not always possible to provide protection for unknown vectors and XSS implementations.

Default risk level

Medium

Sensors that have this signature

IBM Security Host Protection for Servers (Unix): 2.2.2, IBM Security Host Protection for Desktops: 8.0.614.1, Virtual Server Protection for Vmware: 1.0, Proventia Server IPS for Linux technology: 1.0, IBM Security Network Protection: 5.1, Proventia Network MFS: 1.0, Proventia-G 1.1 and earlier: G Series, Proventia Network IDS: A Series, Proventia Network IPS: 2.0, IBM Security Host Protection for Servers (Windows): 1.0.914.0, IBM Security Host Protection for Servers (Windows): 2.1.14.2400, RealSecure Server Sensor: 7.0

Systems affected

IETF HTTP/1.1

Type

Unauthorized Access Attempt

Vulnerability description

Microsoft Internet Explorer allows a malicious Web site operator to inject executable code in the index.dat file, by including JavaScript in a URL. Internet Explorer uses the index.dat file to store recently visited URLs and maintain a listing of subfolders in the Temporary Internet Files folder. After code is injected into index.dat, the attacker can parse the file to execute the code, using the OBJECT TYPE="text/html" variable to bypass security restrictions in Internet Explorer. When the file is parsed, the JavaScript executes as trusted code, because index.dat is registered as local content by the Internet Explorer security mechanism.

A malicious Web site operator could use this to execute any malicious JavaScript on a visiting user's computer, including code that would list the names of the cache folders in the Temporary Internet Files directory. If an attacker knows the names of the cache folders, the attacker can execute other files that have been downloaded to the visiting user's computer and cached in these folders.

How to remove this vulnerability

Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS01-027. See References.

For IE 5.01 SP1:
Microsoft originally provided a patch for this vulnerability in MS00-093, but it was superseded by the patch released with MS01-015 and then superseded with MS01-027.

As a workaround, disable Active Scripting.

References

ISS X-Force
HTTP cross-site scripting attempt detected
http://www.iss.net/security_center/static/6784.php